Windows 10 Managing, Deploying and Configuring – December 2, 2015

Rick Trader

3 years ago

In this recorded Windows 10 training webinar from December 2, 2015, Windows Server instructor Rick Trader presents the deployment and management of Windows 10 Enterprise and the new Provisioning capability in Windows 10. Learn how to manage Windows 10 deployments using System Center Configuration Manager, Mobile Device Management and Intune. Also included in his presentation are enhancements to Active Directory and Group Policy Management. For more, see our Windows 10 Blogs that Rick referenced in the video webinar.

About the instructor:

Rick Trader’s experience includes proficiency with Network Administration, Computer Repair and Configuration, Network Operating System Implementation and Network Infrastructure. He was the program lead for the TechTrax Career Program at InterfaceTT and was responsible for curriculum and exam development as well as ensuring the success of the career changer students. Rio Salado Community College Adjunct Faculty Member of the Year.

Video Transcription

Hi, I’m Rick Trader, a staff instructor here at Interface Technical Training. Today, I’m going to be going over the deployment and management of Windows 10 which is Module 2 of the First Look for the Windows 10 environment.

Module 1: Windows 10 Features and Navigation was conducted by Steve Fullmer. Module 3: Windows 10 Security – What’s New and Improved? is conducted by Mike Danseglio. Module One was Introduction and Module 3 will be Security. If you see these guys in the videos this is kind of what they look like. If you go onto our corporate website, and I’m going to be referencing this a couple times throughout the next couple sessions, on our corporate website you’ll see Steve, he’s our great flamethrower here, and Mike over here is our Men In Black.

Steve normally covers the Windows client operating systems and Mike is our security guy, but the one reason I want to show you our website is each one of us, when we’re doing our sessions will be talking about our blog content. Some of the content I’ll be talking about in this you’ll be able to find more content on the blogs. So if you come in, you go to Tech Blogs, and you’ll be able to find each of the instructors. You’ll also be able to search for specific content.

In one of the sessions I’m going to be talking about the Enterprise Mode for Internet Explorer. There’ll be a blog for that. There’ll be blogs on RSAT tools. If you’re going to be coming up and wanting more information after the session that’ll be the best place to find it.

In my sessions, I’ll be covering how to deploy Windows 10. I’ll also be covering this new capability that is being introduced here in Windows 10 referred to as provisioning. You’ll see that’s actually a really cool concept. We’ll talk about managing, which will be talking about System Center Configuration Manager, the mobile device management. We’ll talk a little bit about Intune. We’ll also be talking a little bit about group policy management.

We’re going to finish up with the new concepts of Microsoft with the update for business will be how we finish up, and each one of these will be its own separate video. So you’ll be able to find these separately when you go up to our website.

Module two of the Windows 10 First Look Clinic. Deploying and Managing of the Windows 10 Environment. In this session, we’re going to be looking at how do we actually deploy Windows 10, whether it be through an In-Place upgrade, a wipe and load, or a new capability called Provisioning. In Provisional, we talked in more detail in module number three.

So, if we want to do a wipe and load, our traditional installation, which is things we’ve been doing ever since the beginning of time in the IT infrastructure is, we receive a brand new computer and we need to deploy an operating system on it, there’s not an operating system on it, our only option would be to do an installation. Whether it be through a deployment mechanism such as WDS or a third‑party product, or we need to sit down at the machine with the installation media and actually install it.

The second option, which is Microsoft’s preferred option and a lot of us have seen this over the past few months is, an In-Place upgrade. You receive from Microsoft, maybe through an upgrade process or you’ve received, through your customer support or Software Assurance, your ability to get the Windows operating system. The In-Place upgrade is our preferred mechanism. We can upgrade from Windows 7 operating systems through Windows 10. A new capability in Windows 10, that we’ll discuss in more detail in lesson 2, is a new feature called Provisioning.

The ability for a user or us, as IT, to order a computer from a vendor, we go out to a store and we buy a computer, or we purchase computers through some type of contract, and the machine comes to us and it’s already got the Windows 10 Operating System on it. In the past we would go out and we would either do a Wipe and Load, or we’d spend many hours configuring that machine. Through Provisioning, we now have the ability to configure that computer exactly the way we need it for our corporate environment.

In-Place upgrade:

First of all, what happens? If I am going to do an In-Place upgrade, and I currently have Windows 7, Windows 8, Windows 8.1, or even Windows 10 environment, we’re going to take our Windows directory and we’re going to move it to what’s called a ‘Windows.old’ folder. That way, we have the ability to roll back to the Windows 10 environment or the previous operating system with the Windows 7, Windows 8, or Windows 8.1. We can do this for up to 30 days. We’re going to keep that environment around for 30 days. After 30 days, the folder will still be there but you won’t be able to roll back to your previous operating system. So as the operating system is installed, the first thing we do is, it’s going to go out, it’s going to inventory, and it actually does an application compatibility, and a driver compatibility to make sure that the applications are currently supported by the Windows 10 environment and the Windows hardware is also supported.

One of the concerns that a lot of corporations are having is the new Windows Edge browser. The Windows Edge browser is not compatible with every website that’s currently out there. Especially, some of the websites you might actually have, as internal websites. So, what has happened is, the Edge browser doesn’t run Java. What happened is back in Windows 7, when IE 11 came out, there was a lot of websites that didn’t run in IE 11. So, Microsoft came up with a new capability called ‘Enterprise Mode for IE 11.’ What this really did was, it took IE 11, when I went to a website that wasn’t supported by IE 11, it used IE 8’s compatibility settings.

In Windows 10, we now have the ability to create an Enterprise Mode for IE 11 and what will happen is, I’ll create a corporate list of what websites need to be supported by IE 11. Now, when a user goes to that website, that website will be launched in IE 11 instead of the Edge browser. It’s actually alleviating a lot of the problems a lot of the organizations are having with websites not launching in IE or in the Edge browser. This will be one of the things that you’ll want to concern yourselves during the upgrade. If you want to have more information about the Enterprise Mode of IE 11, check our blogs. I have a blog up there that’s named ‘Enterprise Mode for IE 11.’ I’ll show you how to configure it and all the settings that go in place.

Once the upgrade has completed, our Windows 10 environment will now be on our desktop.

Why would we do an upgrade? First of all, all of our hardware is compatible with Windows 10. We have all of our device drivers with Windows 10. To date, the Windows 7, Windows 8, and Windows 8.1 drivers, all work in Windows 10. All of our applications that worked in Windows 7, Windows 8, and Windows 8.1, worked in Windows 10.

If our operating system is Windows 7, Windows 8, or Windows 8.1, we support that upgrade to Windows 10 if we’re going same architecture to same architecture. If we’re going from one architecture to a different architecture, we will need to do a Wipe and Load, or a Wipe and Reinstall, or a clean install. Things that would make us do a clean install: let’s say we’re running Windows 7 and Windows 7 was running strictly under bios as the startup environment, and now we want to support the UEFT, or the UEFI, environment, we would have to do a clean install.

If our hard drive is partitioned, and we don’t want it to be the same partitioning, we would have to do a clean install. If we’re currently running a 32‑bit OS, and we want to go to a 64‑bit OS, we would need to do a clean install. If we are going from one language to another language, we would need to do a clean install. One of the things that’s mentioned up here is this Domain Change. We don’t necessarily have to do a clean install if we’re doing a domain change, but it is also recommended that you do a domain change.

Then finally, if all of our applications are going to change, we’re changing versions of the apps, we’re getting rid of apps we’re no longer using in our corporation, we would want to do a Clean Install.

Module three of the deploying and managing the Windows 10 environment is the actual management of Windows 10 itself.

First of all, in Windows 10 they have these things called identities. They introduced this back in the Server 2012 days, so now, Windows 10 being fully compatible and integrated with Azure Active Directory.

The ability to either have a user log into our on‑premises active directory environment, or logging into the Azure Active Directory. A lot of times, you’ll see this abbreviated as AAD, as the Azure Active Directory. This is usually ADDS which is an acronym that has been around forever.

It all depends on where that user or that computer is being authenticated at. For our management tools, we’ve had the same management tools we’ve always had along. As long as the user is part of the active directory domain, there are now group policy settings that are specifically for Windows 10. Controlling things like direct access. Controlling the Edge browser, that is specifically for Windows 10.

This is part of the brand new RSAT tool for Windows 10. If you’re currently running RSAT on a Windows 8.1 box, or a Windows 7 box, or 2012 box, you’ll need to download the RSAT tool for Windows 10. There is a 32‑bit and a 64‑bit. Make sure you get the right one.

Windows 10 is 100 percent compatible with SCCM. Whether it be for the management of the Windows 10 environment, or deployment of the Windows 10 environment. We also have, for deployment up here, the MDM which is Intune, that’s kind of messy and it’s got third‑party tools.

If I’m going to manage my products from the cloud or from Azure, we’re going to be using MDM and Intune. There’s over 3,600 line items in the Windows group policy management console. We don’t need all of those if the client machine is being managed from the cloud. We’re going to see a stripped down version of those capabilities in the Intune environment.

For Windows updates, this is actually going to be covered in more detail in lesson four. If the computer is part of our consumer environment, and it’s not part of our domain, it’ll automatically get Windows updates. Some of us have already seen that.

If the computer is a part of our active directory environment, whether it be on‑premise or in the cloud, we still have the ability for them to do the WSUS, or the Windows Server Update Services. We can control those updates. We’re going to see in lesson number four, and there’s actually some new terms we’re going to talk about. We’ll see them then.

If the computer is a member of the cloud, we can control updates through the Intune environment. Infrastructure hasn’t changed. If we’re on‑premise environment, the computer will have to be joined to the domain. It’ll have to have user credentials and computer credentials, whether it be to get group policy or to get the Windows updates, or WSUS updates.

If they’re a member of the cloud, they’re going to have to be joined to the cloud. We’ll see this on the next slide.

The whole thought of processes is the support. Both company‑owned laptops or devices. Whether that be Windows devices or those devices that might support the choose your own device, or CYOD, or the bring your own device, or the BYOD, environment. Can all be now supported in our environment, depending on how we want to manage them.

Looking at management techniques or managing content, a lot of people have heard of this thing called System Center Configuration Manager, or SCCM. SCCM can manage both Windows 10 environment, whether it be SCCM from 2008. All the way through, SCCM can manage the Windows 10 computers. We don’t need anything special.

There may be some service packs, or hot fixes that you’ll have to apply to SCCM to get them to be able to deploy in a Windows 10 environment. But, it’ll still work. Here’s the biggie, if you want to deploy Windows 10, and you want to use SCCM to deploy it, you must be using SCCM 2012 or later. In order to deploy Windows 10. SCCM for 2008 and 2008 R2 and Windows 2007 does not support deploying the Windows 10 product.

Also, we have a brand new Microsoft deployment toolkit 2013, that allows us to deploy the Windows 10 environment. So, if you wanted to use MDT, you’ll have to make sure you have 2013 or later. Again, that’s not a management tool. It’s strictly a deployment tool.

If our computers are a combination of company‑owned or corporate‑owned computers, and they’re going to be joining to our on‑prem environment, or they’re going to be joining to our Azure Active directory environment, or AAD environment, we have the ability through Federated Services to synchronize those two environments together.

What it actually allows is a user has an SSO, or single sign‑on. Whether they’re logging into a corporate environment on‑prem, or logging into the cloud, so they can access things like Office 365, they can use their one set of credentials. They don’t have to keep remembering what the credentials are.

If we’re using, bring your own devices, or the BYOD, we have to use the cloud based environment. There’s a change here, and a change in terminology. There’s a term called device registration. Brand new term. All this is, is we’ve used it in the past called Workplace Join. Workplace Join and Device Registration are the same capabilities. They just changed what the content is and what the name is in the Windows 10 environment in the cloud.

For group policies, if you have a Windows 10 environment, you want to be able to manage Windows 10 group policies. You want to be able to manage the Edge browser, or you want to manage the new start screen, or the desktop environment. You’ll need to be running the group management console from a Windows 10 computer. Which means you’ll need to download the Windows 10 RSAT tools from the Microsoft Download Center.

Coming over from the old environment, we still have support for ipv6 and group policies. Couple of the biggies is, if you remember in Windows 8 and server 2012, Microsoft really simplified the ability to configure direct access. Windows 10 uses the same direct access connectivity that Windows 8 did. So, we don’t have to worry about certificates that we did in Windows 7.

The other one is, out of the box, on an in‑house machine. Windows Remote Management is disabled by default. One of the things you’re going to want to do is, on your Windows 10 computers that are on‑prem. You’re going to want to go and enable Remote Management. Here’s one of the biggest reasons why.

In server 2012 GPMC, or the Windows 8 GPMC, they now gave us the ability to do a remote GP update to those machines. I can go into an OU at the group policy management console, and actually force an update to all the Windows 8 or later computers that are in our environment now.

We can do that with Windows 7, but we had to ensure that all the Windows 7 boxes we had installed be at least powered to E3 to meet those capabilities.

The other changes out there is, the Microsoft Desktop Authorization Pack, or MDOP. You’re going to need MDOP 2015 for this to function. But they’re all with MDOP 2015, now have capabilities of managing the Windows 10 environment.

First of all, is the advanced group policy management console. This is the console that allows us to install on Windows 10. That will allow us to be able to check‑in and check‑out group policies before they’re modified. That’s the ability to approve changes to group policies. It also creates an archive for group policies.

This is not a new product. It’s been around for quite a while. There’s a 2012 version. There’s a 2002 version. There’s a Windows 8, Windows 8.1, Windows 7 version and 2008 R2. App‑V is upgraded from App‑V 4 to App‑V 5. Allows us to go out and control virtualizations of the desktops.

There’s a new version of the diagnostic center recovery tool that allows us a WinPE environment, to boot to our Windows 10 computers. Also gives us a Windows operating system, so we can get into Windows 10.

The biggie down here is the BitLocker administration and monitoring. First of all, one of the things that we can do now is if we have a computer that has BitLocker on it, it allows us to get into pre‑recovery environment, and allows us to launch the URL to be able to recover that machine. So, I can get into it. The recovery agent without having to put in the recovery agent key.

Finally, UE‑V. It’s been around forever. A couple things that were added to Windows 10. Roaming desktops. The ability with roaming printers in the past. You couldn’t connect to a printer. It didn’t follow you around. It is aware of whether we are connecting to the cloud.

Those are all the changes that have made the MDOP for 2015 to support the Windows 10 environment. So, if you don’t have the MDOP for 2015, you’re not going to be able to manage your Windows 10 environment from now.

Lesson Four of the module on “Deploying and Managing the Windows 10 environment,” is all about the supporting the Windows 10, specifically. We’re going to be looking at Windows update and Windows update for business.

First of all, Microsoft has now come out with really four different Update options. With the first Update option being our traditional update which is the “Consumer Grade Update.” Which is users will automatically get updates to their machines.

They really have no control of the update. They can’t plan when the update is run. They also can’t test the update. Not really conducive to a business environment, especially an enterprise, but that is the first option.

The second option if you’re running the Professional version or the Enterprise version of Windows 10 is this brand new capability. We haven’t heard this term before called, “Current Branch for Business,” or CBB. If we enroll in this update mechanism, what allows us to do as an administrator is to postpone an update for up to 90 days.

As an example, let’s say an update comes out and in this environment that update crashes your Surface Pro. You have to do a “Clean install” or “Rollback” from that. Here, because I could have waited 90 days or postponed that update for 90 days. I could have ensured that we didn’t get that update and didn’t crash our environment.

A couple of the biggies about this is, first of all, it allows us to deploy it through the WSUS environment or through Windows update for business. Either mechanism allows us to deploy it.

The third mechanism which has been around for quite a long time. The “Long‑term Servicing for Business,” or what they refer to as LTSB. I use this as an example because I spent 21 years in the Navy.

If I have a mission critical operating system that is running one of my servers or maybe running one of my file control systems. I don’t want that file control system to be updated with a service pack, a hotfix, or a patch that hasn’t been certified yet for that particular system. If you are in an environment such as a hospital where you’ve got, maybe devices that are being run for life support.

You don’t want those devices to be updated without being certified. So what LTSB allows us to do as an administrator, once we subscribe to it, and this is actually a completely separate licensing mechanism, is if you go up to the MSDN center or you go up and you purchase it. You’ll actually purchase Windows 10 Enterprise LTSB. The actual version is a completely different SKU.

What this allows us to do is security patches will be approved through us, through the WSUS environment to be all deployed to our machines. What it ultimately allows us to do is make sure that we do not install or configure an update on our machines that are not going to be compatible that can cause a mission critical system to go down on us. It allows us more control of our environment.

Microsoft has really thought this out, so what they’ve done is inside Microsoft, they have their “Engineering Builds” where they get tested. Then they send them internally to Microsoft for the Microsoft employees to test something out. Now if you think about the Windows 10 deployment this is exactly what happens with Windows 10.

It was tested through different builds at Microsoft. Eventually, they went out and they asked for users to be a part of their Insider Program. As a member of the Insider Program, you’ve got Windows 10 as a build on a machine. Routinely throughout that build process the computer I had, would get updates.

Whether it be service packs, hotfixes, or features were installed in the environment so that the Windows 10 computer was constantly updated. Then it got deployed out to the consumer environment, which again is, the hundreds of millions of users, gets deployed out to the consumer environment. They test their machines, they run their machines.

Then eventually if you are the Current Branch for Business or CBB or even the LTSB, the environment, you have the ability through WSUS to download those updates, get those updates configured for you and then you can test them. Maybe that’s your sales department. Then you test it out on your marketing department.

Then you test it out on your productions department, and then finally you might send it and deploy it to your marketing department so that it’s a scheduled deployment so you’re not taking out all the machines at one time. But it gives you more control and this will all be controlled through WSUS. This is really a lot like what we’ve been doing in today’s environment with WSUS.

We go on out and configuring the environment. To review the stuff that we talked about in this module is we started off with the deployment of Windows 10. Where we talked about initially things like whether or not we are going to do a wipe and replace or a wipe and load. Do we go out and are we going to install a new operating system, because of a change of architecture or maybe a change of language.

Or the fact that we get a computer that doesn’t have an operating system at all. We also talked about upgrades. What is the upgrade process and how is the upgrade process run? We looked at the operating systems that are running Windows 7 and later support the upgrade.

One of the things that I may not have mentioned earlier is Enterprise edition SKUs do not support the free update. But you can update through Software Assurance. We talked about a brand new feature in Windows 10 called “Provisioning” that uses the ICD which is part of the Automated Deployment Kit, or the Assessment and Deployment Kit.

The ability to create answer files so that we can bring a brand new computer out of the box into our environment, and be able to install the Windows 10 operating system. Configure it up to our corporate standards whether it be naming the machine, joining the computer to the domain, deploying applications or even changing the SKU.

We looked at the products that can manage our Windows 10 environment. We looked at the difference between Active Directory Domain Services and Azure Active Directory. We looked at whether or not the user is using GPOs or using MDM.

We also looked at the new capabilities of the Microsoft Desktop Optimization Kit, the MDOP, which is the 2015 version.

Then we finished up looking at Windows 10 with your line of business apps. We looked at the CBB, your business updates, and we also looked at your Long‑term Updates.